Two major pieces of cybersecurity legislation – a Senate-approved bill to reform the Federal Information Security Management Act (FISMA), and another bill to standardize reporting requirements for major cybersecurity incidents – both failed to make the cut in the House-Senate conference version of the fiscal year (FY) 2022 National Defense Authorization Act (NDAA) that passed the House Dec. 7.
Mandatory incident reporting legislation has gained popularity over the past year, following the spate of cyberattacks and ransomware attacks on American companies and critical infrastructure over the past two years. A bill to update the existing 2014 version of FISMA – which governs how Federal agencies pursue cybersecurity efforts – was approved earlier this year by the Senate Homeland Security and Governmental Affairs Committee.
Both legislative efforts fell victim to House and Senate efforts in recent days to come to an agreement on the NDAA bill.
The Senate first passed a version of the NDAA by unanimous consent in June, while the House picked up and passed its own amended version of the defense spending bill in September. The Senate then began working off of the amended House version of the legislation until it hit snags over how to hold its own amendment process.
That problem then led leaders in both chambers to instead angle towards a conference agreement that would make its way through both chambers. That version of the bill was unveiled Dec. 7 and approved by the House on the same day. The NDAA bill still requires Senate approval.
“This bill represents compromise between both parties and chambers – as a result, every single member involved has something in it they like and something that didn’t get into the bill that they wish had,” House Armed Services Committee Chairman Rep. Adam Smith, D-Wash., said in a release. “This year’s procedural realities made the entire process exponentially more difficult.”
“When we get to the end of this arduous process, we often forget the hundreds of provisions we came to agreement on and focus solely on where we could not come to agreement,” Rep. Smith added. “Ultimately, our responsibility as a Congress to provide for the common defense supersedes these areas of disagreement, making the substance of this bill and its signature into law critical.”
The conferenced bill will now head over to the Senate for final consideration and passage. Among the provisions that did make it into the conferenced bill were recommendations from the National Security Commission on Artificial Intelligence, as well as improvements to cyberspace and emerging threat capabilities and major research investments.
As for FISMA reform, the Office of Management and Budget (OMB) has taken some of that issue into its own hands.
OMB issued updated FISMA guidance Dec. 6 that incorporates some aspects of President Biden’s cyber executive order, lays the foundation for agencies to follow OMB’s zero trust guidance, opens the way for Federal agencies to conduct third-party penetration testing of their networks, and includes an implementation plan for the Cybersecurity and Infrastructure Security Agency’s Incident Response Playbook.
New Debt Limit Measure Passed
The House also took up a measure to make Senate passage of a debt-limit raise easier. The legislation creates a one-time mechanism to allow a debt-limit raise to pass the Senate with a simple 51-vote majority.
The bill passed the House and is heading to the Senate. Senate Majority Leader Chuck Schumer, D-N.Y., and Minority Leader Mitch McConnell, R-Ky., previously expressed confidence that a deal would be reached before the Dec. 15 deadline Treasury Secretary Janet Yellen warned about.
The deal allows Democrats to pass a debt-limit raise, potentially through the 2022 midterm elections, without Senate Republicans helping – giving both sides a political win and leaving neither holding the bag for the first-ever default in the nation’s history.
The procedure was added to S.610, the “Protecting Medicare and American Farmers from Sequester Cuts Act,” which will also prevent cuts to Medicare that were scheduled to happen at the end of the year without legislation to extend them.